Re: redundant LDAP server with free-radius

2007-02-02 Thread Alexei Monastyrnyi
got you, mate

I was kind of confused by

authenticate {
Auth-Type MS-CHAP {
mschap
}

Looking at this makes things more clear.

modules {
mschap {
authtype = MS-CHAP

Still, Failover is a kind of inconsistent/incomplete without pointing 
this out (though it is an indirect detail). Other parts of doc might 
well have a reference to that, but IMO it is worth referring to this on 
failover page, doc is supposed to help people get answers ... People 
might never come to renaming module instances but for redundancy. Since 
it is Wiki, I can probably update it by adding ~200-300 bytes of text 
and in case you won't like it, you can always roll back.

A.



on 2/1/2007 4:55 PM Alan DeKok wrote:
 Alexei Monastyrnyi wrote:
   
 this works as expected, though it is not that obvious that Auth-Type 
 name refers to module name, and not just names the method...
 

   It defines the method, but doesn't make the module set Auth-Type to
 that method.

   
 Or I might 
 have missed that from the documentation. Anyway, fail-over section 
 does not reflect this IMO. Not a note of authenticate sub-section at 
 all... should it be updated?
 

   Modules having authenticate sections automatically have Auth-Type
 definitions created based on their name.  This is normally the module
 name (i.e. LDAP), unless the module has an *instance* name, in which
 case it's the instance name.

   The LDAP module sets Auth-Type to its *instance* name, not to
 LDAP.  That appears to be the piece you're missing.

   This has nothing to do with failover.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
   
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
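To make the rule Alan states above checkable, here is a small Python lint, added as an example and not part of FreeRADIUS or of this thread. It parses the two radiusd.conf fragments from the thread (reconstructed inline; the authorize section is left out because it does not affect the check), works out which Auth-Type each ldap/mschap instance will set (its instance name, or its explicit `authtype` setting), and reports any that has no matching `Auth-Type ... { }` block in `authenticate`. The brace parser covers only the syntax the fragments use.

```python
"""Lint a FreeRADIUS 1.x radiusd.conf fragment for the Auth-Type mismatch
this thread is about. Added example, not FreeRADIUS code: the brace parser
covers only the subset of syntax the thread's snippets use."""

# Modules the thread shows setting Auth-Type: ldap from its instance name,
# mschap from its explicit 'authtype' setting.
AUTH_MODULES = {"ldap", "mschap"}

# Reconstructed from the thread's snippets (redundant ldap pair + mschap).
BROKEN_CONF = """
modules {
    ldap ds-01 {
    }
    ldap ds-02 {
    }
    mschap {
        authtype = MS-CHAP
    }
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        redundant {
            ds-02
            ds-01
        }
    }
}
"""

# The fix from the thread: one Auth-Type block per ldap instance name.
FIXED_CONF = BROKEN_CONF.replace(
    "    Auth-Type LDAP {\n        redundant {\n            ds-02\n"
    "            ds-01\n        }\n    }\n",
    "    Auth-Type ds-01 {\n        ds-01\n    }\n"
    "    Auth-Type ds-02 {\n        ds-02\n    }\n")


def parse_conf(text):
    """Parse 'name [instance] {' sections, 'key = value' settings and bare
    module calls into a tree; '#' starts a comment."""
    root = {"header": ["<root>"], "children": [], "settings": {}, "calls": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            node = {"header": line[:-1].split(), "children": [],
                    "settings": {}, "calls": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            stack[-1]["settings"][key] = value
        else:
            stack[-1]["calls"].append(line)   # bare module call, e.g. ds-01
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def section(node, name):
    return next(c for c in node["children"] if c["header"][0] == name)


def auth_types_set_by_modules(root):
    """Auth-Type value each auth module instance will set: its instance name
    (module name when there is none) unless it has an explicit 'authtype'."""
    result = {}
    for mod in section(root, "modules")["children"]:
        module, *rest = mod["header"]
        if module in AUTH_MODULES:
            instance = rest[0] if rest else module
            result[instance] = mod["settings"].get("authtype", instance)
    return result


def defined_auth_types(root):
    return {c["header"][1] for c in section(root, "authenticate")["children"]
            if c["header"][0] == "Auth-Type" and len(c["header"]) > 1}


def check(text):
    """Problems found, or [] if every Auth-Type some module sets has a matching
    'Auth-Type <name> { }' block. Names compare case-insensitively, as value
    names do in FreeRADIUS, so 'ldap' + 'Auth-Type LDAP' is fine."""
    root = parse_conf(text)
    needed = auth_types_set_by_modules(root)
    defined = {d.lower(): d for d in defined_auth_types(root)}
    problems = []
    for instance, auth_type in sorted(needed.items()):
        if auth_type.lower() not in defined:
            problems.append(f"instance '{instance}' sets Auth-Type = {auth_type} but "
                            f"authenticate has no 'Auth-Type {auth_type}' block: "
                            "add one, or set Auth-Type by hand")
    used = {v.lower() for v in needed.values()}
    for key, name in sorted(defined.items()):
        if key not in used:
            problems.append(f"'Auth-Type {name}' block is never selected by a module "
                            "(only a users entry setting it by hand would reach it)")
    return problems


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}:", *(check(conf) or ["ok"]), sep="\n  ")
```

Run against the broken fragment it reports the two unreachable instances plus the orphaned `Auth-Type LDAP` block; against the fixed fragment it reports nothing. The case-insensitive comparison is what makes the original single-server `ldap` / `Auth-Type LDAP` pairing pass.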


redundant LDAP server with free-radius

2007-02-01 Thread Alexei Monastyrnyi
Folks,
sorry for bringing this up again.

I am running FreeRADIUS 1.1.4 and OpenLDAP 2.3.32 on two Solaris10/x86 
hosts.

Non-redundant config works fine with FreeRADIUS and OpenLDAP on a single 
host.

modules {
ldap {

}
}

authorize {
...
ldap
}


authenticate {
...
Auth-Type LDAP {
ldap
}
}

When I use a redundant config as per instruction in docs, I get 
"auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user" in debugs and the user is rejected. Please see 
config and debug output below. I guess I am missing some fine detail 
here. Your help would be highly appreciated.

modules {
ldap ds-01 {

}
ldap ds-02 {

}
}

authorize {
...
redundant {
ds-02
ds-01
}
}


authenticate {
...
Auth-Type LDAP {
redundant {
ds-02
ds-01
}
}
}


Debug output

rad_recv: Access-Request packet from host 1.1.1.1:3283, id=29, length=47
User-Name = qwer
User-Password = qwer
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = qwer, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for qwer
radius_xlat:  '(&(objectClass=posixAccount)(l=*)(uid=qwer))'
radius_xlat:  'dc=my,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=my,dc=com, with filter (&(objectClass=posixAccount)(l=*)(uid=qwer))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user alexeim authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ds-02 returns ok for request 0
modcall: leaving group redundant  (returns ok) for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0



TIA
A.


Re: redundant LDAP server with free-radius

2007-02-01 Thread Alexei Monastyrnyi
Thanks Alan.

But I do define it when switching from single server to redundant group, don't I?

   Auth-Type LDAP {
   ldap
   }

to

   Auth-Type LDAP {
   redundant {
   ds-02
   ds-01
   }
   }

Isn't that enough?

A.

Alexei Monastyrnyi wrote:
 When I use a redundant config as per instruction in docs, I get 
 "auth: No authenticate method (Auth-Type) configuration found for the 
 request: Rejecting the user" in debugs and the user is rejected. Please see 
 config and debug output below. I guess I am missing some fine detail 
 here. Your help would be highly appreciated.

  The modules are named ds-01 and ds-02, not LDAP.  In this case,
you will have to set Auth-Type to LDAP by hand.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog





Re: redundant LDAP server with free-radius

2007-02-01 Thread Alexei Monastyrnyi
no arguing here, just clearing up things... :-) stay cool

this works as expected, though it is not that obvious that Auth-Type 
name refers to module name, and not just names the method... Or I might 
have missed that from the documentation. Anyway, fail-over section 
does not reflect this IMO. Not a note of authenticate sub-section at 
all... should it be updated?
http://wiki.freeradius.org/Fail-over

authorize {
...
redundant {
ds-02
ds-01
}
}


authenticate {
...
Auth-Type ds-01 {
ds-01
}
Auth-Type ds-02 {
ds-02
}
}

on 2/1/2007 4:04 PM Alan DeKok wrote:
 Alexei Monastyrnyi wrote:
   
 But I do define it when switching from single server to redundant group, 
 don't I?
 

   Yes.

   
 Isn't that enough?
 

   What did my previous response say?

   You can argue with me, or you can try what I suggested, and verify for
 yourself that it works.

   As a hint: when the LDAP module sets Auth-Type, it sets the value to
 the name of the module... which in your case is ds-01, not LDAP.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
   


Re: groupmembership_filter for LDAP module [sec: unclas]

2006-08-22 Thread Alexei Monastyrnyi

Thanks for your advice!

Something is still missing

Here is what I have in LDAP section of radiusd.conf

   basedn = dc=mydomain,dc=com
   filter = (&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
   groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
   groupname_attribute = cn

And in users

DEFAULT Auth-Type = LDAP
DEFAULT LDAP-Group == vpnusers
   Service-Type = Administrative-Use

radiusd -X says when reading LDAP section

...
ldap: basedn = dc=mydomain,dc=com
ldap: filter = (&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = (null)
ldap: access_attr = (null)
ldap: groupname_attribute = cn
ldap: groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = yes
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
...

But it says nothing about any search for vpnusers group during login, 
which is still successful for users outside the group


A.

on 8/22/2006 9:47 AM Ranner, Frank MR wrote:

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Alexei Monastyrnyi
Sent: Tuesday, 22 August 2006 07:12
To: FreeRadius users mailing list
Subject: groupmembership_filter for LDAP module

Hi List.

I am trying to enable group filter to allow only certain LDAP users to
be able to login to my VPN hub.

I run FreeRADIUS 1.0.2 on SPARC Solaris 9

All users are in group
cn=vpnusers,ou=group,dc=mydomain,dc=com
listed as memberUids

In radiusd.conf I have the following

filter =
(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))

groupmembership_filter =
(&(&(cn=vpnusers)(objectClass=posixGroup))(memberUid=%{Stripped-User-Name:-%{User-Name}}))

groupmembership_attribute = vpnusers

It doesn't seem to work, no sign of searching for vpnusers in LDAP
server logs and users that are not in this group are still able to log
in.

I may be missing something... Hints of where to look would be highly
appreciated.

Cheers,
A.

Reply:

1. You need to have an LDAP-Group check item in users:

DEFAULT LDAP-Group == vpnusers
Service-Type = Administrative-User


2. You need groupname_attribute. This is ANDed to the filter to provide
(below).
groupname_attribute = cn

3. Your filter is overcomplicated, all you need is this:
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
   The rlm_ldap module adds on (cn=vpnusers) as a result of items 1 and
2.

That's it. As long as the other stuff is right like the binddn, the base
dn this
should at least generate ldap activity in the radiusd -X output.

Regards,
Frank Ranner
  
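As an added example (not rlm_ldap code, and not from the thread), the following Python assembles the two filters this configuration produces, the way Frank describes: it expands `%{Stripped-User-Name:-%{User-Name}}` with the `:-` fallback, escapes the substituted value per RFC 4515, and ANDs `(cn=vpnusers)` onto the expanded groupmembership_filter for the `LDAP-Group == vpnusers` check. The exact `(&(cn=...)...)` nesting is my reading of "ANDed to the filter"; the request attributes used as input are constructed.

```python
"""Assemble the LDAP filters rlm_ldap (FreeRADIUS 1.x) would send for the
user lookup and for an 'LDAP-Group == vpnusers' check, expanding the %{...}
references the way the thread's config uses them. Added example, not
rlm_ldap code; the '(&(cn=...)...)' layout follows Frank's description."""

# Config values taken from the thread.
LDAP_CONF = {
    "basedn": "dc=mydomain,dc=com",
    "filter": "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))",
    "groupname_attribute": "cn",
    "groupmembership_filter":
        "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))",
}

# RFC 4515 escaping for values substituted into a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _closing_brace(s, start):
    """Index of the '}' matching the '{' at s[start]."""
    depth = 0
    for i in range(start, len(s)):
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced %{...} in " + s)


def xlat(template, attrs):
    """Expand %{Attr} and %{Attr:-default}. The default may itself be a
    reference, so %{Stripped-User-Name:-%{User-Name}} falls back to User-Name
    when the realm module stripped nothing. Substituted attribute values are
    escaped; literal text in the template (e.g. '(l=*)') is not."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _closing_brace(template, i + 1)
            name, has_default, default = template[i + 2:end].partition(":-")
            value = attrs.get(name)
            if value is not None:
                out.append(ldap_escape(value))
            elif has_default:
                out.append(xlat(default, attrs))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def user_filter(conf, attrs):
    return xlat(conf["filter"], attrs)


def group_filter(conf, group, attrs):
    """(groupname_attribute=<group>) ANDed onto the expanded groupmembership_filter."""
    return "(&(%s=%s)%s)" % (conf["groupname_attribute"], ldap_escape(group),
                              xlat(conf["groupmembership_filter"], attrs))


if __name__ == "__main__":
    # Constructed request: suffix realm stripped, so Stripped-User-Name is present.
    req = {"User-Name": "alexeim@mydomain.com", "Stripped-User-Name": "alexeim"}
    print(user_filter(LDAP_CONF, req))
    print(group_filter(LDAP_CONF, "vpnusers", req))
```

With the realm suffix stripped the group check becomes `(&(cn=vpnusers)(&(objectClass=posixGroup)(memberUid=alexeim)))`, which is the search one should see in the LDAP server log once the `LDAP-Group` check item is in place. The escaping step is what keeps a User-Name such as `alexeim)(uid=*` from changing the shape of the filter.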


groupmembership_filter for LDAP module

2006-08-21 Thread Alexei Monastyrnyi

Hi List.

I am trying to enable group filter to allow only certain LDAP users to 
be able to login to my VPN hub.


I run FreeRADIUS 1.0.2 on SPARC Solaris 9

All users are in group
cn=vpnusers,ou=group,dc=mydomain,dc=com
listed as memberUids

In radiusd.conf I have the following

filter = (&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))

groupmembership_filter = (&(&(cn=vpnusers)(objectClass=posixGroup))(memberUid=%{Stripped-User-Name:-%{User-Name}}))

groupmembership_attribute = vpnusers

It doesn't seem to work, no sign of searching for vpnusers in LDAP 
server logs and users that are not in this group are still able to log in.


I may be missing something... Hints of where to look would be highly 
appreciated.


Cheers,
A.




Re: special characters in passwords + FR + ldap

2006-03-06 Thread Alexei Monastyrnyi
You can try to log the passwords sent to FR by the NAS and snoop the passwords 
sent by FR to LDAP, plus switch on logging on LDAP and check why the BIND 
operation between FR and LDAP fails. The bottom line here is that the 
password with special chars is the same all the way down to the LDAP server.


on 04/03/2006 22:19 Natalia Escalera wrote:

Hello,

What is needed is that Freeradius accepts passwords even if special
characters are part of them. This is what is happening:


pass$word -> FR -> LDAP -> FR (Answer: wrong password)

Any ideas of how to solve it?

Thank you,
Natalia.


On 3/3/06, Alexei Monastyrnyi [EMAIL PROTECTED] wrote:
  

Hey.

Does one need to handle it in any special way?

I have deployment like this, where special chars work as good as normal
ones.

Cisco VPN clients -> Cisco PIX -> FreeRADIUS -> OpenLDAP.

A.

on 03/03/2006 00:28 Natalia Escalera wrote:


Hello all,

Does somebody know how to handle passwords having special characters in
between (e.g. $ ) when doing freeradius-ldap authentication?

Thank you,

Natalia.



Re: special characters in passwords + FR + ldap

2006-03-03 Thread Alexei Monastyrnyi

Hey.

Does one need to handle it in any special way?

I have deployment like this, where special chars work as good as normal 
ones.


Cisco VPN clients -> Cisco PIX -> FreeRADIUS -> OpenLDAP.

A.

on 03/03/2006 00:28 Natalia Escalera wrote:

Hello all,

Does somebody know how to handle passwords having special characters in
between (e.g. $ ) when doing freeradius-ldap authentication?

Thank you,

Natalia.



rlm_eap_tls.so is missing

2006-03-02 Thread Alexei Monastyrnyi

Hi List!

This might be off-topic but I couldn't find any solution so far.

I am running FreeRADIUS 1.1.0 on Solaris 9 (SPARC) and cannot get it 
configured with PEAP support.
Both FreeRADIUS and OpenSSL 0.9.8 are built from sources with no errors 
or warnings.
When I start radiusd with PEAP section in config file, it gives me 
segmentation fault.


truss shows that radiusd tries to open files rlm_eap_tls.so etc. Those 
files I cannot find among binaries after installation.


Does someone have a clue what is going on here?

Cheers,
A.


FreeRADIUS + MPPE for PPTP VPN clients

2005-06-03 Thread Alexei Monastyrnyi

Hi List.

I have a Q about MS-CHAP and MPPE configuration for FreeRADIUS.

OS and software versions

Servers
OS Solaris 9 SPARC
FreeRADIUS 1.0.2
OpenLDAP 2.2.24
SAMBA 3.0.11

Network gateways
Cisco PIX 506,  IOS 6.3(4)

PPTP VPN Clients
Windows 2K/XP, MAC OSX.

The RADIUS server we're talking about is a secondary LDAP server and 
SAMBA BDC as well.


I'd like to use this FreeRADIUS as a username/password backend for PPTP 
VPN clients.
VPN hub in my case is Cisco PIX device, which supports AAA RADIUS for 
PPTP VPDN groups.
PPTP VPN against Cisco PIX works perfectly well with local 
authentication, i.e when usernames/passwords are configured locally on PIX.


The RADIUS is already configured with OpenLDAP as a backend, 
authenticating against userPassword attribute. This part works OK.
The OpenLDAP server is also a backend for my SAMBA domain controller, 
the same domain I'm trying to use for user logins via PPTP VPN. All 
users have both POSIX and SAMBA attributes in LDAP.


The following chain works.
Cisco VPN clients -> NAS -> RADIUS -> LDAP

This one doesn't 
PPTP VPN clients -> NAS -> RADIUS -> SAMBA -> LDAP


I have configured RADIUS server as following (omitted some lines here).

Modules section

   mschap {
   authtype = MS-CHAP
   use_mppe = yes
   #require_encryption = yes
   #require_strong = yes
   #with_ntdomain_hack = no
   #ntlm_auth = /usr/local/samba/bin/ntlm_auth 
--request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

   }
   ldap {
   server = localhost
   basedn = ou=People,dc=orcsoftware,dc=com
   filter = (&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))

   start_tls = no
   password_attribute = userPassword
}

authorize {
   preprocess
   auth_log
   reply_log
   mschap
   suffix
   ldap
}

authenticate {
   Auth-Type MS-CHAP {
   mschap
   }
   Auth-Type LDAP {
   ldap
   }
}

For PPTP logins it doesn't work for user MYDOMAIN\username and the 
server says (omitting the beginning of debug)


Fri Jun  3 12:50:37 2005 : Debug:   modsingle[authenticate]: calling 
mschap (rlm_mschap) for request 0
Fri Jun  3 12:50:37 2005 : Debug:   rlm_mschap: No User-Password 
configured.  Cannot create LM-Password.
Fri Jun  3 12:50:37 2005 : Debug:   rlm_mschap: No User-Password 
configured.  Cannot create NT-Password.
Fri Jun  3 12:50:37 2005 : Debug:   rlm_mschap: Told to do MS-CHAPv1 
with NT-Password
Fri Jun  3 12:50:37 2005 : Debug:   rlm_mschap: FAILED: No 
NT/LM-Password.  Cannot perform authentication.
Fri Jun  3 12:50:37 2005 : Debug:   rlm_mschap: MS-CHAP-Response is 
incorrect.


My Q is: should I use the ntlm_auth program for getting NTLM passwords?
If yes, should my RADIUS server be joined to the SAMBA domain which it is 
trying to use?
Actually I'm a bit confused here and highlighting how RADIUS obtains or 
generates MPPE keys might be helpful.

Any hints or useful URLs would be highly appreciated.

Cheers,
A.


Re: Configuring maximum number of password attempts

2005-06-03 Thread Alexei Monastyrnyi

Hi.
From FreeRADIUS debug I can conclude that it first does a search against 
LDAP with the given username and base DN and then, if the search is 
successful, binds with the given credentials.


Both posixAccount and shadowAccount in LDAP do not have any attributes 
to count bad passwords and block users based on that.
You can lock a user with shadowAccount by putting LK at the beginning of 
his userPassword attribute value IIRC. But counting 3 or more bad 
passwords in a row is a kind of extended logic here.


There is an option for this in sambaSamAccount object class, but people 
complain that it is not working as promised.


Just my 2 cents.

A.

[EMAIL PROTECTED] wrote:


Hi all,

I am using freeradius to talk to an OpenLDAP server to validate passwords.
This all works fine and dandy. If the user enters the right password they
get in, if they enter the wrong password the don't.

However, I can't find a way of locking out the user if they enter an
invalid password three times in a row. I've trolled through the LDAP stuff
but can't find anything in there. Is there a way I can create a password
policy  to do this?

|\/|artin
--
Senior Network Administrator, NEC (Europe) Ltd.
Acton extension: 3379
NEC*Net: 800-44-21-3379
Direct: +44 20 8752 3379
Fax: +44 20 8752 3389
Mobile: +44 7721 869 356



Re: FreeRadius documentation

2005-06-02 Thread Alexei Monastyrnyi

Hi.

There is a bit of info here, which is pretty much in correlation with 
O'Reilly book RADIUS.

http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/radius.html

The book helped me a lot with configuring simple auth via RADIUS against 
LDAP userPassword attribute.
I'm now trying to find something for NTLM passwords and MPPE keys to 
authenticate PPTP VPN clients.

Please drop me a line if you come across it somewhere.

A.

James Flockton wrote:


All,

Just wondering if anyone can point me towards to some good
documentation for FreeRadius please? I'm wanting to build a box
running Radius and using OpenLDAP for authentication detail i.e. user
name, IP etc.


Many thanks
James

 



Re: Filter

2005-05-31 Thread Alexei Monastyrnyi

Hi.

Filter here is a usual LDAP filter, you can find some good examples in 
OpenLDAP documentation or man pages.

Or you can check here. http://www.zytrax.com/books/ldap/apa/search.html

The complete RFC for this is RFC 2254.

A.

José Berenguer wrote:


Hello,
   Anyone can tell me where can I find some instructions about how to 
configure the filter= option in the module ldap subsection of 
radiusd.conf?


   Thanks a lot!


